Q&A Does the Brave Browser really beat fingerprinting? (Video)

Spawn

Test Link: https://brax.me/geo/

Rob Braxman Tech said:
Brave Browser was revised in 2020 and received a slew of features related to better defense against browser fingerprinting. Or at least that's the claim. In this video we put this to a test, by actually attempting to fingerprint a Brave Browser session in different circumstances while we also theorize some possible ways to evade the defense.

In the end we will figure out exactly what Brave does differently from other browsers and we will see if it lives up to the hype. Is it unbeatable by a browser fingerprint tracker? Or is it flawed?

Find out the results of the actual test. We also compare it to Chrome and Firefox using default settings on those browsers.

 

SecurityNightmares

Not the worst video but also not the best.
At least he speaks about limitations and other tracking options which aren't blocked, but he misses some, like ISP name or using logins/accounts.

As far as I know (from a GrapheneOS mod), Safari is the only browser which protects against fingerprinting. I guess Chrome is in some way good too, as it has a lot of users, but users need to use the browser defaults to hide in the mass.
 

Cortex

Good video, I've never been a fan of a plethora of plugins to boost security though I have a couple - Used Brave for some time now - It does seem the more you try the worse the situation can get, but as billions use the net there is some anonymity through numbers & I avoid the likes of Facebook, Twitter etc. - However some tracking is inevitable but it rarely caused instant death or a headache? :rolleyes::rolleyes:
 

oldschool

I find that ... Another test shows Brave to fail:

Detect Canvas Fingerprint
Not exactly. Did you close Brave while clearing cookies and cache? Check results and repeat. Check results again. ;)

There are so many fingerprinting methods and testing sites such as these. At best, they are all a micro-snapshot in the space-time continuum, with results having little to no value in terms of the browser user-base, the pollution of test results by the small number of users who go to these test sites, etc.

And then there is the problem of high entropy introduced by those who utilize anti-fingerprinting addons, making them more identifiable, not less.
 

Sammo

oldschool said:
Not exactly. Did you close Brave while clearing cookies and cache? Check results and repeat. Check results again. ;)

There are so many fingerprinting methods and testing sites such as these. At best, they are all a micro-snapshot in the space-time continuum, with results having little to no value in terms of the browser user-base, the pollution of test results by the small number of users who go to these test sites, etc.

And then there is the problem of high entropy introduced by those who utilize anti-fingerprinting addons, making them more identifiable, not less.

I closed Brave and cleared cache and cookies. Same fingerprint always shows and Brave fails.
 

Attachment: Fingerprint_test.jpg

Jan Willy


oldschool

@Sammo Built-in protections offer the best available methods because they have researchers and tech teams devoted to this. I post this whenever this topic is discussed. It refers specifically to Firefox, but some of his specific points are generally applicable to any browser.
arkenfox/user.js

⚠️ Anti-Fingerprinting Extensions... F&%K NO!

  • DON'T BOTHER to USE extension features to CHANGE any RFP protections
    • Exception: where you can whitelist a site for functionality and you know the risks
This is not about the merits of randomizing vs lowering entropy: this is about using the best options available. We support RFP (privacy.resistFingerprinting) as far superior (in the metrics it so far covers)

  • It is trivial to detect RFP and when you change a RFP metric, you lose your "herd immunity"
    • i.e.: you just added more entropy, very likely unique, compared to the already tiny group of RFP users
    • Ask yourself why Tor Project recommends you do not change Tor Browser settings and you do not install extensions
  • RFP is robust and vetted by experts (Mozilla, Tor Project, researchers)
  • RFP is an enforced set where all users should be[1] the same: i.e. uniform, in the same "buckets", or exhibiting the same behavior
    • [1] Don't fiddle with prefs unless you know what they do
  • Extensions aren't robust: either lacking APIs, or are poorly designed, or miss all methods, or it's snake oil (impossible)
    • e.g.: spoof OS? You can't (RFP can do what it likes as it's an enforced set of users)
    • e.g.: spoof user agent, timezone, locale, or language? navigator properties leak via workers and can leak via other methods such as window.open and iframes
    • e.g.: spoof screen? css leaks and matchmedia can leak
    • e.g.: spoof language/locale? Practically impossible, and if (that's a massive "if") it were perfect, then it's no different to setting that as your preferred website language in options
  • Extensions can often be detected
    • e.g. script injection and function names
    • e.g. if not uniquely, then by their behavior and characteristic patterns
    • note: RFP doesn't care if it can be detected, because all users are the "same"
If you don't use RFP, then you're on your own. And don't rely on entropy figures from test sites. The datasets are not real world, very small, and tainted by both the type of visitors, and by their constant tweaking and re-visits which further poison the results and artificially inflate rare results:

  • e.g. on Panopticlick [May 2020]
    • why are 1 in 6.25 (16%) results returning a white canvas (which is statistically only an RFP solution), and 1 in 6.16 (16%) returning a Firefox 68 Windows user agent, and yet Firefox (and Tor Browser) only comprise approx 5% worldwide, in total - actual ESR68 users on Windows, and actual RFP users would both be a tiny fraction of that
    • why are 1 in 1.85 (54%) results returning no plugins, when chrome (at 67% market share) and others by default reveal plugin data
    • remember: very, very, very few users use anti-fingerprinting measures
  • e.g. at amiunique (AmIUnique) [current month: Nov 2020]
    • over half (51%+) are Firefox .. yeah right!
    • over three quarters (77%+) are primarily using en .. yeah right!
    • almost a third (31%+) are UTC .. yeah right!
It takes large real world studies to get the number of results per metric, and it takes a controlled one (one result per browser) to get the distribution in order to get reliable entropy figures. Don't believe the BS.
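
Added example (not part of any post in this thread, and not arkenfox code): a short Python illustration of the quoted point that re-visits skew test-site figures, comparing a raw visit log with a one-result-per-browser sample. The visit log, browser ids and canvas labels are constructed, and knowing which visits belong to the same browser is an assumption a real test site cannot rely on.

```python
import math
from collections import Counter

# Constructed visit log for a hypothetical test site: (browser_id, canvas_result).
# Fifteen ordinary browsers visit once; one RFP user ("t1") re-tests five times.
VISITS = (
    [(f"a{i}", "canvas-A") for i in range(8)]
    + [(f"b{i}", "canvas-B") for i in range(4)]
    + [(f"c{i}", "canvas-C") for i in range(3)]
    + [("t1", "white")] * 5
)


def shares(results):
    """Map each observed value to its fraction of the sample."""
    counts = Counter(results)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}


def surprisal_bits(share):
    """Identifying information carried by a value seen with this frequency."""
    return -math.log2(share)


def shannon_entropy(dist):
    """Expected surprisal over the whole distribution, in bits."""
    return sum(p * surprisal_bits(p) for p in dist.values())


def one_result_per_browser(visits):
    """Controlled sample: keep only the first result from each browser."""
    first = {}
    for browser_id, result in visits:
        first.setdefault(browser_id, result)
    return list(first.values())


def compare(visits):
    """Return (raw, controlled) share tables for the same visit log."""
    raw = shares(result for _, result in visits)
    controlled = shares(one_result_per_browser(visits))
    return raw, controlled


if __name__ == "__main__":
    raw, controlled = compare(VISITS)
    for value in sorted(raw):
        print(f"{value:9} raw {surprisal_bits(raw[value]):.2f} bits, "
              f"controlled {surprisal_bits(controlled[value]):.2f} bits")
    print(f"entropy: raw {shannon_entropy(raw):.2f}, "
          f"controlled {shannon_entropy(controlled):.2f}")
```

On this constructed log the raw sample rates the white canvas at 2 bits, while the one-result-per-browser sample rates it at 4 bits, so the re-tester makes a rare result look common and shifts every other figure with it.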
 